The discovery of Australian Medicare numbers being sold on the Dark Web points to a suspected (but not yet confirmed) eligible data breach
In July, a Journalist was allegedly able to purchase a Medicare card number on the Dark web for $30. Doubts have now been cast on the safety of health records on the Cloud as the Federal Government roll out the 'My Health Record' scheme. The 'My Health' initiative heralds the opt-in digitisation of health records in Australia, with individuals and medical staff able to access an electronic summary of a patient's key healthcare information via an internet portal.
Understanding how the Cloud benefits Australia National Health industryThe medical and health industries in Australia are subject to strict compliance regulations for data retention, storage and disposal (varies by State):
- All Patient Records (WA) have to be retained until the person is 25 years of age
- If they attend the practice or clinic within their next 15 years of life, the records must be retained
- If they do attend the practice or clinic within the next 15 years of life, their records can be archived or destroyed
- All backups of Patient Records have to be certified Dand are subject to annual audits
- With regard to the digitisation of Patient Records, the destruction of source documents - depending on the date of the records and the time of digitisation - can only be destroyed under specific conditions.
- The Cloud enables easy access to past records for comparison and diagnostic purposes for medical professionals.
The Cloud provides a modern and scalable storage solution for an industry with exponentially increasing data requirements.
The addressing the risk of Data breaches
This incident has arrived as the Notifiable Data Breaches Act awaits its February 2018 enforcement date.
It is not known if the appearance of Medicare numbers on the Dark Web is the result of a data breach, or incidental criminal activity.
Under the terms of the forthcoming legislation, an "eligible data breach" has occurred when:
- there is unauthorised access and disclosure of information; or loss of information where unauthorised access or disclosure is likely; and
- a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates
The unauthorised release of Medicare numbers could have the potential to cause harm, especially in conjunction with other details such as date of birth, name and residential address.
It is likely any compromise to the My Health Record portal would warrant public notification with the intention of maintaining public confidence. However the same action could also have the inverse effect, as we have seen this year.
While the Federal Government ventures to implement more Cloud-based strategies for such Departments and industries which handle private information, incidents like these will keep security as the primary public interest.
What will maintain public confidence in the Cloud for the Government will be reliable and automated tested software and database monitoring and a response-ready Disaster Recovery plan which enables remedial action to prevent the serious harm which could come with unauthorised access.